The CardSystems blame game

Comment On July 21, 2005, the United States House of Representatives Committee on Financial Services, Subcommittee on Oversight held a hearing on Credit Card Data Processing: How Secure Is It?" Of course, just by asking the question,you already know what the answer is going to be: not a disaster, but about as secure as you might imagine.

John Perry, CEO of CardSystems minimized the impact of the data breach, testifying that the attackers wrote a shell script designed to dump transaction records for "incompleted" transactions (which were stored by CardSystems for "research purposes") to an FTP site. Perry stated that there were only 239,000 discrete account numbers FTP'd, and that they have not been notified that any of these card numbers were used fraudulently. Yet.

None of this is surprising. One of the first things you do when confronted with a public relations problem is to minimize the extent of the problem. Lawyers do this all the time, exclaiming things like "My dog didn't bite you, my dog doesn't bite, I don't own a dog." The next thing to do, of course, is to find someone else to blame. In the case of CardSystems, they reportedly found someone who wasn't at the table to blame - not VISA, not MasterCard, not their sponsoring bank, and not their customers. They blamed their auditors and consultants.

In his testimony, Perry noted that CardSystems had undergone a CISP audit by consultants from Cable and Wireless in December of 2003 (17 months before the incident), and that there were "do deficiencies" that did not have adequate compensating controls. Thus, according to Perry's live testimony, it was Cable and Wireless's fault. Oh, and while he was at it, he also reportedly blamed the California mandatory disclosure law, SB 1386, claiming that without the law, the company would have suffered no losses. Well, still the data would have been lost, just nobody would have known about it.

Cable and Wireless claimed that there was nothing wrong with its audit, and that it was simply retained to audit the systems that were used to process the payment information. If there was a separate system used to store transactional data not connected to the processing system, or a system not within the scope of the audit, it was not examined.

Meeting of the minds

The relationship between consultant and client is almost always one based on a consulting agreement. The case points out a serious problem with understanding the nature of auditors, security consultants, and the relationship between these consultants and the underlying client. The consulting contract is supposed to reflect a meeting of the minds between the parties. Invariably however, the parties come to the table with differing expectations about what they are buying and selling.

In the case of CardSystems and Cable and Wireless, CardSystems thought they were auditing discrete parts of the payment processing network for compliance with VISA's standards. CardSystems, on the other hand, apparently thought it was purchasing "hacker insurance" and a guarantee that they would never be subject to attack. At a minimum, CardSystems was seeking a "Certificate of Assurance" that it was compliant with all the relevant standards. As we will see, even this latter assumption may be unrealistic.

When a client retains a consultant or an auditor to perform services, the client has a right to expect (and in fact to put into the contract) a level of professionalism, knowledge, and expertise commensurate with the standards of the industry (assuming, of course that there are such standards.)

Toward this end, companies should be aware that, with some exceptions, you do get what you pay for. If your consultants show up with purple hair, pierced eyebrows, their resume indicates the name "acid rain" and includes three prior arrests for computer hacking under "qualifications," you may think twice about giving that individual the keys to the financial network - or, at least giving them the only keys. (I can see the flames I will get from the hacker community already.) However, you should look for a level of expertise and knowledge commensurate with the tasks included in the Statement of Work. Price is, of course, a major consideration for selecting consultants, security services, or auditing, but let's face it, it is performance at a particular price that you are seeking.

Hiring a consultant?

One area where the consultant/client relationship inevitably breaks down is in the areas of vaporware on the one hand, and mission creep on the other. Vaporware is when the consultant claims expertise in every field of endeavor, and in reality has little ability to perform on any of them. You know the type . Whatever you ask them to do, they say, "Oh yes, we do that..." Consulting... sure. Incident response... of course. Forensics.. it's like a second language to me... COBOL, GNU, Linux, Unix, Windows, Mac, Sega, Amiga, Atari, OS2, Ada... sure we do all that.

Now, to be sure, there are consultants who have multiple areas of expertise, both broad and deep. Just make sure you check out all their relevant qualifications. Hold your consultants to their promises as well. The marketing materials and sales slicks may be just that: slick. What matters is what is in the contract. Almost every contract contains the clause "This contract is the entire agreement between the parties, and the parties are not relying on anything else..." If you are relying on something else (like the salesperson's promise that the beta he showed you will be in production in two weeks) then put that assumption in the contract!

Mission creep is when the consumer of the consulting services says the four words a consultant always hates, "oh by the way." Invariably, the scope of the project differs from that which was assumed by the parties. The network diagrams provided to scope the task date to the previous millennium (that is, 1,000 AD), and now the marketing guys want to add new things to the task. All of that is fine, but it may end up costing you more if it is not expressly in the Scope of Work.

Define the consulting terms

In the Fourth (that is technically the first) Star Wars movie, the Imperial Storm Troopers confront young Luke and Obi Wan Kenobi seeking R2D2 and C3PO, the droids with the stolen plans to the Death Star. Under questioning, Sir Alec Guiness as Obi Wan dismissively waves his hand announcing "you don't need to see his papers... these aren't the droids you are looking for. Move along..." While we don't know all the facts (OK, we don't know ANY of the facts) it is likely that something like this happened in the CardSystems case. The security consultants were likely told that they didn't have to worry about the computers that contained the historical data. After all, it was just for "research purposes," and was not part of the payments processing that they were auditing.

Each party to the consulting agreement makes assumptions about the scope of the work, what the other side knows and doesn't know, and what they expect. A well executed contract and deliverable makes these assumptions clear.

Finally, companies need to understand what exactly they are buying when they retain either a consultant or an auditor. They are NOT buying a guarantee that they will not be hacked, or even a guarantee that every vulnerability has been found and abated. Or, if they are buying that, they certainly are underpaying! They must also understand that the value of the final product is dependent upon the consultant being given access to all critical systems (and the systems upon which they depend), and on full, honest and truthful answers from staff about how things are actually done. I am reminded of my trips to the dentist, where the hygienist inevitably asks if I floss after every meal, and I, with a straight face, invariably lie that I do so religiously. Do you think the hygienist can tell?

The quality of the report will be dependent upon the quality of the cooperation, but competent consultants (like competent hygienists) should understand that there is a disparity between observation and reality.

These issues are sure to become more significant as companies, under pressure from laws like Sarbanes Oxley, HIPAA, GLBA and the card industry CISP standards rely on consultants with expertise in these areas to help the navigate the shoals of Scylla and Charybdis. In the name of full disclosure, I should point out that my employer is one of these companies.

What does a security audit provide?

Companies that retain consultants or auditors are entitled to put their security auditors to the test - and to rely on their findings and recommendations. They are entitled to honest appraisals based upon appropriate and agreed upon standards. They deserve consultants that are responsive, professional, and deliver what they have promised. However, all parties must understand that security is a journey, not a destination. Ultimately, it is the client - the bank, the hospital, the insurance company, the credit card processor and not the consultant or auditor - that has the relationship with their customer, that is a fiduciary of their customer's information, and whose reputation suffers from a breach of security.

It behooves all parties to know what they are buying and selling in a professional services contract. And remember, the only "guarantees" in life are death and taxes, and I am not even that sure about death.